Apple’s Being Sued Over One of Its Best Security Measures: 2FA

Emails, passwords and other login credentials are frequently stolen in data breaches and through phishing campaigns. Once they have access to that information, malicious entities can pretty easily hijack an account.

But with two-factor authentication (2FA) enabled, those entities would need a trusted device or phone number to actually gain access. Bad actors are developing methods to bypass that requirement, but it’s still an additional safeguard. While 2FA isn’t perfect, it’s a lot better than relying on a password alone.

And now a California man is suing Apple because he thinks its two-factor authentication measure takes too much time and is too restrictive.

The class-action lawsuit, filed by Jay Brodsky in California, alleges that Apple enabled two-factor authentication on the plaintiff’s account without his explicit consent. (It’s worth noting that the feature is actually only offered on an opt-in basis.)

On the other hand, the lawsuit also claims that two-factor authentication is too inconvenient to actually set up — requiring several steps on several devices.

More than that, the suit claims that the security measure is too inconvenient. Or, as it’s put in the complaint, two-factor authentication “imposes an extraneous logging in procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number.” (This is how 2FA is intended to work, mind you.)

Brodsky also alleges that Apple has a “coercive” policy of not letting users disable 2FA after it’s enabled. That much is actually true. But again, Apple needs a user to willingly activate 2FA — and it even offers a two-week grace period in which that feature can be deactivated.

There are other, more dubious claims in the lawsuit, too. For example, the lawsuit claims that 2FA is required every time an Apple device is turned on and that the authentication process takes two to five minutes to actually complete. Neither of those claims is true by any stretch of the imagination.

Amusingly, Brodsky even goes on to claim that there are “millions” of Apple users who are suffering “harm” and “economic losses” because 2FA wastes their time and interferes with the routine use of their devices.

Specifically, Brodsky is seeking damages and a ruling that would prevent Apple from “not allowing a user to choose its own logging and security procedures.”